Thursday, July 9, 2015

OPM Provides Insight Into Why It Was Hacked

The Office of Personnel Management just released the steps that it has taken to protect over 21 million federal employees whose data was stolen in what may be the worst cyber security breach in history. Now keep in mind that these steps were selected during a time of high criticism against the agency and its director Katherine Archuleta. So I think that it's safe to say that it represents the best effort of Director Archuleta and presumably the new cyber security advisors that she brought onboard post-breach.

Here are the steps:

Providing a comprehensive suite of monitoring and protection services for background investigation applicants and non-applicants whose Social Security Numbers, and in many cases other sensitive information, were stolen.

Helping other individuals who had other information included on background investigation forms.

Establishing an online cybersecurity incident resource center.

Establishing a call center to respond to questions.

Developing a proposal for the types of credit and identity theft monitoring services that should be provided to all Federal employees in the future.

This reminded me of the letter that I received from Premera when they got breached (my wife and I were Premera customers), and had my USCG Top Secret security clearance still been active, I would have received an almost identical letter from OPM.

Then the realization hit me.

In crafting the above 5 steps, OPM revealed why it had been hacked so easily. It's because they didn't know (and still don't know) the intelligence value of what they had been trusted to protect - the SF-86 data. SF-86 forms are 120+ page monsters that consume your entire personal history along with all of your affiliations and points of contact in your personal, educational, and professional life. Clearance holders are interviewed every year so the information is kept current including foreign travel and foreigners that you've interacted with.

Now imagine that you work for a foreign intelligence service and I was a hacker who was offering you a chance to buy the SF-86 forms for every soldier serving in the Special Operations component commands of the Navy, Army, Air Force and Marines. These are the individuals who are responsible for direct action, counter-terrorism, snatch and grab, counter-narcotics, reconnaissance and who knows how many other secret operations.

Perhaps you work for a large South American drug cartel. How much would you be willing to pay for the SF-86 on every Drug Enforcement Agency employee who holds a clearance? If you had OPM's files and access to a data-mining tool like i2, Maltego, or Palantir, you could construct models that would reveal who was working a counter-narcotics operation in Medellín last year based upon their SF-86 foreign travel updates.

Imagine that you were looking to convince a U.S. government employee to work for you under threat of blackmail. The OPM database would provide you with a way to filter for those with backgrounds that make them highly vulnerable to extortion demands because the background investigators who conduct the interviews are looking for precisely that kind of information!

WHEN PROTECTING SOMETHING VALUABLE,

YOU MUST FIRST KNOW ITS VALUE.

When we speak with clients at Taia Global, the very first thing we do is show them how valuable their IP (intellectual property) is to foreign governments. We call that Target Asset Value™. Once the client understands his company's TAV, the client can properly evaluate what measures to put into place to protect the company's assets.

OPM clearly did not understand the concept of Target Asset Value as it relates to the government employees whose data they were responsible for. If they did, they wouldn't have proposed credit monitoring protection as a solution when the threats are so much greater than simple identify theft or an Amazon shopping spree. OPM's current solution is wholly inadequate and will continue to be so until Director Archuleta and her staff come to grips with the true value of the data that they were entrusted with, and lost.

1 comment:

Jeff: excellent points, but I noted a couple of errors. SF-86s are only filled out during initial processing and periodic reinvestigations (every 10 years for secret, every 5 years for TS). This database included everyone that every applied for clearance, regardless of whether one was granted, so some of the information will appear once and never get updated again. Individuals are required to self report major changes, such as address, marriage/divorce, legal issues, drug/alcohol incidents, personal travel, and certain foreign contacts (but not all). This reporting goes to their local security officer who would make entries into JPAS or similar systems outside of DoD, but it does not go back to OPM. This data only shows up in OPM when the individuals go through a periodic reinvestigation or occasionally when switching agencies or being accessed to certain programs.

Other than that, I think your assessment is correct. Some foreign intelligence service just one the jackpot and will be trading that information or portions of it around the world for years to come.